Big Data and smart technologies after the EU General Data Protection Regulation

August 2016 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT

Financier Worldwide Magazine


Collecting and storing enormous quantities of data from various sources and purchasing it from other operators are definitely not new inventions. For the past two years, the Internet of Things (IoT) has been on the highest peak of Gartner’s Hype Cycle for Emerging Technologies. The hype about IoT and Big Data is, however, mostly about the business possibilities deriving from analysing, combining, managing and utilising the data in various innovative ways.

In 2015, many big players in the technology field took strategic steps to turn the IoT and data analytics hype into real actions, and the April 2016 report of Technology Business Research Inc. shows that total growth of IoT revenues for the 21 benchmarked IoT companies in Q4 of 2015 was almost 15 percent.

While companies are continuously seeking new opportunities to benefit from data, the European Union’s take on data protection is becoming stricter. The EU’s General Data Protection Regulation (GDPR), which will take effect on 25 May 2018, imposes new obligations upon personal data controllers and processors and grants stronger rights to individuals. The impacts of the GDPR on data-centric industries cannot be overlooked. Several new obligations should be taken into account. A few of the trickiest ones for operators collecting and processing personal data on a large scale include the higher requirements concerning data subjects’ consent, as well as data subjects’ ability to restrict the processing of their personal data and even to prohibit processing activities such as profiling from taking place altogether. Data controllers are also subject to a new accountability requirement: the controller must be able to verify its processing actions afterwards and show compliance with the GDPR at any time.

At present, the biggest emerging technology trends include different kinds of data management tools and smart devices that not only collect and transfer data, but also analyse it onsite and make immediate decisions based on these analyses. The aggregated data can then be automatically transferred to the next stage of production or disclosed to an outside party, such as the company’s business partners. If these data flows include information relating to an identified or identifiable natural person, privacy alarm bells should sound immediately.

Firstly, according to the new regulation, automated decision making that may have legal impacts upon data subjects requires the data subjects’ consent or a justification on other specific legal grounds as set out in the GDPR or in national legislation. Secondly, the data subjects should be informed of the processing in a transparent manner and also of, e.g., the logic behind the decision-making process. In addition, the data controller should, even before starting the automated decision-making process, conduct a privacy impact assessment regarding the privacy risks that the processing might pose to the data subjects. This impact assessment should then be used to define the organisational and technical steps and solutions necessary to ensure compliance with the GDPR.

At first glance, these new requirements may be seen as hindering companies’ possibilities to take advantage of the personal data they possess. According to a study by Ipswitch, in 2015 more than 77 percent of British companies considered GDPR a burden upon their business operations. Similar industry views were represented in a Finnish report published by the Council of State in April 2016. Finnish companies consider a lack of knowledge on how to cost-efficiently turn the collected data into business-accelerating assets, while complying with the regulatory obligations, to be one of the biggest obstacles to the full exploitation of Big Data technologies. Despite this widespread industry concern, however, one of the main goals of the GDPR is actually to enable a more functional information economy within the European Union. Accordingly, a deeper analysis of the GDPR reveals that complying with the regulation might actually benefit companies’ information management and create new business opportunities.

A great deal of planning is required to fulfil all privacy obligations. However, a large amount of planning is also necessary in order to determine what kinds of data and what types of processing are beneficial for a company’s business. For many companies, the planning for privacy obligations and the strategic planning of data processing could be combined in a single process, considerably reducing the related costs. The exponentially growing amount of collected data and the complex applications utilising it require new innovations in the management of the created data sets and the workflows relating to the data processing. Those same innovations could also be used for data privacy purposes.

The key to such use lies in finding the interconnections between privacy issues and commercial questions of data collection and management. By doing this, companies can avoid having to perform future updates and additional implementations of several separate privacy tools, thereby saving a lot of time, trouble and money in the long term. For example, the privacy impact assessment can be conducted at the same time as a more comprehensive data flow mapping project, or data protection functionalities may be implemented within an IoT platform instead of a separate privacy tool. Many of the new privacy obligations can actually be achieved through diligent data management and up-to-date monitoring practices, which are also essential parts of a functional data collection and management solution. Metadata such as information on the type of data collected, sources of the data, where the data is transferred, how it is processed and when it could or should be deleted, is essential for a data controller’s compliance requirements, and it also helps companies use any kind of data more efficiently. Enhancing privacy means enhancing business operations in a profound way.

Especially in the field of consumer-driven IoT and smart technology services and products, compliance with the new requirements may be turned into a commercial benefit. Good data privacy planning and implementation can reinforce customers’ trust in the supplier, help personalise products and services and also give new insights into consumers’ habits and preferences. The customer interface may be designed to help facilitate the information flow both ways and work as a channel to maintain the consents and restrictions related to personal data.

Transferring the control of personal data to the data subjects themselves also means a reduced administrative burden for the data controller. Even if the data subject eventually refuses to give his or her consent to personal data processing, the data may still have value in an anonymised form. At the end of the day, Big Data analytics, IoT solutions and smart technologies are about developing innovative ways to utilise all kinds of data. In a field where applicable regulation is static, it is the operators and their solutions that must remain dynamic.

Ultimately, compliance with the GDPR requires thoughtful and well-planned resourcing, especially as compliance obligations come due over the next few years. Some kind of investment in data privacy and compliance is inevitable. However, we want to believe that, so long as such investment is made in a considered manner and is directed toward the right operations, it will turn into positive revenue in the near future.

Eija Warma is counsel and Anna-Sofia Kivi is an associate at Castrén & Snellman. Ms Warma can be contacted on +358 20 7765 376 or by email: eija.warma@castren.fi. Ms Kivi can be contacted on +358 20 7765 486 or by email: anna-sofia.kivi@castren.fi.